chore: replace polyfill.io #1675

Draft
wants to merge 1 commit into
base: main

SukkaW commented Mar 1, 2024

Thank you for opening a Pull Request!


Before submitting your PR, there are a few things you can do to make sure it goes smoothly:

  • Make sure to open a GitHub issue as a bug/feature request before writing your code! That way we can discuss the change, evaluate designs, and agree on the general idea
  • Ensure the tests and linter pass
  • Code coverage does not decrease (if any source code was changed)
  • Appropriate docs were updated (if necessary)

Fixes #1674 by replacing polyfill.io w/ cdnjs.cloudflare.com/polyfill.

shuuji3 commented May 22, 2024

@SukkaW Hello, I think this PR looks good to me. With this change, by running `npm run build`, I confirmed the updated sample code was generated under `dist/samples` as expected. Would you change this PR from Draft state to Open?

I have further concerns about this polyfill.io takeover now, because the new owner not only didn't provide any clear answer to the original issue, but also silently deleted that GitHub Issue (https://github.com/polyfillpolyfill/polyfill-service/issues/2834). Here's the Wayback Machine's archive for reference: https://web.archive.org/web/20240318120623/https://github.com/polyfillpolyfill/polyfill-service/issues/2834

shuuji3 commented Jun 26, 2024

Unfortunately, it seems like exploitation has already begun now and the Google Ads team started sending warnings to its users: Polyfill.io JavaScript supply chain attack impacts over 100K sites - https://www.bleepingcomputer.com/news/security/polyfillio-javascript-supply-chain-attack-impacts-over-100k-sites/

Could we review and merge this change soon so as not to increase the risk to Google Maps Platform users? Some developers should reuse the example code including polyfill.io and are likely to deploy it in the production service. I'm worried that such incidents potentially hurt Google Maps' reputation too if they are not mitigated appropriately.

/cc @willum070 Sorry, let me ping you since I see you've been active in this repository recently and I expected you could ask the Google Maps team to review this.

shuuji3 commented Jun 27, 2024

@amuramoto Thanks for the mitigation by #1765! 🙂

Now that IE has already been deprecated on the web, I believe all modern browsers no longer need Polyfill for the Google Maps Platform API to work well without any issue.
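
A check that could be run over built sample pages to confirm no `<script>` tag still loads from polyfill.io, matching on the parsed hostname rather than a substring so that the cdnjs.cloudflare.com/polyfill replacement is not flagged. This is an added example, not code from the PR or the repository; the file names and HTML snippets are constructed and the function names are hypothetical.

```javascript
// Added example: flag <script src> values whose host is polyfill.io or a subdomain.
const RETIRED_HOST = "polyfill.io";

// Return the src attribute of every <script> tag in an HTML string.
function scriptSources(html) {
  const sources = [];
  const tagRe = /<script\b[^>]*>/gi;
  const srcRe = /\ssrc\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;
  for (const [tag] of html.matchAll(tagRe)) {
    const m = srcRe.exec(tag);
    if (m) sources.push(m[1] ?? m[2] ?? m[3]);
  }
  return sources;
}

// True when the URL's host is the retired domain or one of its subdomains.
function pointsAtRetiredHost(src) {
  let url;
  try {
    // The base only matters for relative and protocol-relative (//host/...) URLs.
    url = new URL(src, "https://samples.invalid/");
  } catch {
    return false;
  }
  const host = url.hostname.toLowerCase();
  return host === RETIRED_HOST || host.endsWith("." + RETIRED_HOST);
}

// Collect every offending script reference across a map of file name -> HTML.
function findRetiredReferences(files) {
  const findings = [];
  for (const [name, html] of Object.entries(files)) {
    for (const src of scriptSources(html)) {
      if (pointsAtRetiredHost(src)) findings.push({ file: name, src });
    }
  }
  return findings;
}

// Constructed sample pages (not taken from the repository).
const SAMPLE_FILES = {
  "dist/samples/a/index.html": '<script src="https://polyfill.io/v3/polyfill.min.js?features=default"></script>',
  "dist/samples/b/index.html": "<script async src='//cdn.polyfill.io/v3/polyfill.min.js'></script>",
  "dist/samples/c/index.html": '<script src="https://cdnjs.cloudflare.com/polyfill/v3/polyfill.min.js?features=default"></script>',
  "dist/samples/d/index.html": '<script src="./index.js"></script><script src="https://notpolyfill.io/x.js"></script>',
};

console.log(findRetiredReferences(SAMPLE_FILES));
```

In a build pipeline the same functions can be fed the real files read from `dist/samples`, failing the job when the findings list is non-empty.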
